Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.

 Bot a small program to remotely control a computer  Botnet is a network of zombies, i.e. compromised computers under control of an attacker.

 In following picture [1] shows the life- cycle of a botnet infection and the contact with the botmaster :   Infection strategies used by the masters are often seen when examining other malware such as self- replicating worms, viruses, etc. but also can be spread by making a victim execute some form of malicious code on his machine. Many attachments are simply these executable files. 

    The next step taken by a new bot is to contact a DNS server for the resolving of the DNS name of the IRC server (the IRC server’s name is given in the executable and a DNS query is made to acquire the server’s IP address). This step allows the master to retain control of the net also if the IP address associated with the DNS name of the IRC server gets black- listed.

 The next step taken by a new bot is to contact a DNS server for the resolving of the DNS name of the IRC server (the IRC server’s name is given in the executable and a DNS query is made to acquire the server’s IP address). This step allows the master to retain control of the net also if the IP address associated with the DNS name of the IRC server gets black-listed.

 The fact that IRC channels allow several forms of communication as well as data dissemination and that many open-source implementations are available make this protocol just suitable for botmasters.   As the C&C channel is also specified in the binary, the bot can now establish an IRC connection with the server and join the given channel. For this purpose, three steps of authentication are required: first of all the bot authenticates itself to the server with the PASS message, then it also has to authenticate itself with a password, to the master in order to join the channel.

 Lastly the botmaster also needs to authenticate himself to the bot before being able to send any command. The first two aim to keep outsiders away from the C&C channel, and the last one prevents the bots from being overtaken by other masters. 

 When the join has successfully occurred, the bot executes the channel’s topic, which contains the default commands that every bot has to execute. Often it occurs that all bots on the channel are able to hear every exchanged message and this characteristic is used on this paper for the acquisition of insider information. However, sometimes broadcasting is not allowed to prevent saturation. 

 3 things are required for it & they are:  bot:- a small program that can remotely perform certain functions.

C&c server

 Network of zombies

Where to find a bot  Find a script on the Internet & purchase a ready-to-go bot.  Prices vary from $5 to $1000 depending on the bot functionality.  Write yourself.

 C&C server  C&C server is simply a powerful computer which will give you direct access to zombies, or if needed will store stolen data. For example, to install IRC server

 Dedicated computer with installed software (fairly legal).  Buy a domain, since it should be set up as a web server Hosting - to make the server accessible from the Internet, it should be hosted by a hosting company.

 Creating zombies  Purchase/rent a network of zombies & compromise computers yourself.  Using software packages such as Mpack, Icepack and WebAttacker,using your brains.

 Agobot/Phatbot/Forbot/XtremBot:-  This is probably the best known bot. Currently, the AV vendor Sophos lists more than 500 known different versions of Agobot (Sophos virus analyses) and this number is steadily increasing. The bot itself is written in C++ with cross-platform capabilities and the source code is put under the GPL.Sophos virus analyses.

 mIRC-based Bots - GT-Bots:-  We subsume all mIRC-based bots as GT-bots, since there are so many different versions of them that it is hard to get an overview of all forks. mIRC itself is a popular IRC client for Windows. GT is an abbreviation for Global Threat and this is the common name used for all mIRC-scripted bots.mIRC

 Kaiten:-  This bot lacks a spreader too, and is also written for Unix/Linux systems. The weak user authentication makes it very easy to hijack a botnet running with kaiten. The bot itself consists of just one file.

 Q8 Bots:-  Q8bot is a very small bot, consisting of only 926 lines of C-code. And it has one additional noteworthiness: It's written for Unix/Linux systems. It implements all common features of a bot: Dynamic updating via HTTP-downloads, various DDoS- attacks (e.g. SYN-flood and UDP- flood), execution of arbitrary commands, and many more.

 Often botnets are used for Distributed Denial-of-Service ( ddos)attack. A DDoS attack is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services by consuming the bandwidth of the victim network.

 Sniffing Traffic:-  Bots can also use a packet sniffer to watch for interesting clear-text data passing by a compromised machine. The sniffers are mostly used to retrieve sensitive information like usernames and passwords. But the sniffed data can also contain other interesting information.

 Software defaults should be the most secure settings, not the least secure & implement intrusion prevention systems. Implement spam filtering (w/CBL) and antivirus.  Implement organizational firewall and content filtering.  Blackhole botnet controllers and phishing websites upon verification & send regular notifications to downstream customers of detected issues.  Implement detection and filtering mechanisms where/when feasible.